OSSA-2013-023: Denial of Service using XML entities in Nova/Cinder extensions

Date:

August 08, 2013

CVE:

CVE-2013-4179, CVE-2013-4202

Affects

• Nova: Grizzly and later

• Cinder: Grizzly and later

Description

Grant Murphy from Red Hat reported that vulnerabilities in XML request parsers were not fully patched in OSSA 2013-004. By leveraging XML entity expansion in specific extensions, an unauthenticated attacker may still consume excessive resources on the Nova (CVE-2013-4179) or Cinder (CVE-2013-4202) API servers, resulting in a denial of service and potentially a crash. Only Nova setups making use of the security group extension in Grizzly are affected. Only Cinder setups making use of the backups or volume transfer API extension in Grizzly are affected.

Patches

• https://review.openstack.org/#/c/40880 (Grizzly)

• https://review.openstack.org/#/c/40883 (Grizzly)

• https://review.openstack.org/#/c/40879 (Havana)

• https://review.openstack.org/#/c/40881 (Havana)

Credits

• Grant Murphy from Red Hat (CVE-2013-4179, CVE-2013-4202)

References

• https://launchpad.net/bugs/1190229

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4179

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4202